Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-07-2024 05:58
Behavioral task: behavioral1
- Sample: 6665ab44db118b972ce2a88e66118fb8_JaffaCakes118.doc
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 6665ab44db118b972ce2a88e66118fb8_JaffaCakes118.doc
- Resource: win10v2004-20240709-en
General
- Target: 6665ab44db118b972ce2a88e66118fb8_JaffaCakes118.doc
- Size: 235KB
- MD5: 6665ab44db118b972ce2a88e66118fb8
- SHA1: fee2da365e916da5c67e7c9ac1f011651b538009
- SHA256: 3fb97d9c2e1864424882af8744978f5c367b27f5fa6b2a857621f126e758a6f9
- SHA512: 0ebcd4d975f56369d1b53b9c3c0f78a4a2e5bd1e1a28a083286d08318bdc3372b793811b5fd692de9fbcc5132f960c3a1b32149ee35b1386e70bfc7f5cd9f71b
- SSDEEP: 1536:zterThwxEM5OsmqrmrAK9hbZQHrTPUyZK/dRYiX/CN7Ta861YrkyXkHx:zUwxv5OsmqrmrAKHigdSivCFTH6C2Hx
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 15 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 15 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (4 IoCs)
pid | Process
680 | WINWORD.EXE
680 | WINWORD.EXE
244 | WINWORD.EXE
244 | WINWORD.EXE
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeAuditPrivilege | 1240 | EXCEL.EXE
Token: SeAuditPrivilege | 3484 | EXCEL.EXE
Token: SeAuditPrivilege | 3760 | EXCEL.EXE
Suspicious use of SetWindowsHookEx (29 IoCs)
pid | Process
680 | WINWORD.EXE
680 | WINWORD.EXE
680 | WINWORD.EXE
680 | WINWORD.EXE
680 | WINWORD.EXE
680 | WINWORD.EXE
680 | WINWORD.EXE
1240 | EXCEL.EXE
1240 | EXCEL.EXE
1240 | EXCEL.EXE
1240 | EXCEL.EXE
244 | WINWORD.EXE
244 | WINWORD.EXE
244 | WINWORD.EXE
244 | WINWORD.EXE
244 | WINWORD.EXE
244 | WINWORD.EXE
244 | WINWORD.EXE
244 | WINWORD.EXE
244 | WINWORD.EXE
244 | WINWORD.EXE
3484 | EXCEL.EXE
3484 | EXCEL.EXE
3484 | EXCEL.EXE
3484 | EXCEL.EXE
3760 | EXCEL.EXE
3760 | EXCEL.EXE
3760 | EXCEL.EXE
3760 | EXCEL.EXE
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6665ab44db118b972ce2a88e66118fb8_JaffaCakes118.doc" /o ""
  PID: 680
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  PID: 1240
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
  PID: 244
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  PID: 3484
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  PID: 3760
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
  Filesize: 471B
  MD5: c25fa00d2d50c763284dc06088a9ce8b
  SHA1: ded8a9c797ea71730b30317ee314050503f2a2dc
  SHA256: 47bc3bd953888b201be49187a14c2e959c2b756b725928c6bb1d9be87ebd9bf5
  SHA512: b5b4be49ee0f75afbe48a9d9d3c39feb74d9510d45a5d315d1cdfd52f9f8c0bc1fba633667dff0ec898ba403aa025c5a3d8326e952211953eedc9217496ee526
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
  Filesize: 420B
  MD5: 38b7e00f7697bf718f9a716c812ea9e9
  SHA1: c3c18dffe6b0caf945f1e07246fcdd9c1ba3c0f9
  SHA256: 5c21609d3dbfc78a0a8e6b158f15a91d88b88c2b29b01a53a68003dab86377da
  SHA512: d761f053f8638d31617f3242fe3cf75c086aa5fea470bb88dbbe05acbe18c5e2306ae619a37eb4d28340b0661be12d50b8923bf11aeacebd2643553ee1b6d7c8
- Filesize: 21B
  MD5: f1b59332b953b3c99b3c95a44249c0d2
  SHA1: 1b16a2ca32bf8481e18ff8b7365229b598908991
  SHA256: 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
  SHA512: 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4
- Filesize: 417B
  MD5: c56ff60fbd601e84edd5a0ff1010d584
  SHA1: 342abb130dabeacde1d8ced806d67a3aef00a749
  SHA256: 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
  SHA512: acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e
- Filesize: 87B
  MD5: e4e83f8123e9740b8aa3c3dfa77c1c04
  SHA1: 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
  SHA256: 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
  SHA512: bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9
- Filesize: 14B
  MD5: 6ca4960355e4951c72aa5f6364e459d5
  SHA1: 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
  SHA256: 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
  SHA512: 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
- Filesize: 512KB
  MD5: f240f53760a5369616d3ffd3853c2b7c
  SHA1: e989e9b7b7be55f1cbe421d75dba75b00a520b4e
  SHA256: 6ab507df3a892ce5da3070537efb9a09f1d62e550fb2db852345ce50e825b5e7
  SHA512: 050f191ccf2087f9abff07d28d4ae277588094d23921a61673f316a3bfbf588beec2f4b5b7b4a229e3406e213b6769a504ce9c7ba38806615d30106efecd30c8
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\B9954090-4C98-4FBC-BBB8-980782258929
  Filesize: 169KB
  MD5: be840eb49d101f3a75065d44f66a3c5e
  SHA1: cf2776081112b36af9ec4201141ba78b2f58919e
  SHA256: 65b52e584306a7238b3ce04895ac9327bcc94ca0947b369a9e7536402c697460
  SHA512: 95873db2e55544f55fcf2dbd6eb56d2f18729b4e33ab95aea4cb982527dcaa0fcd51aeb6a7d9e04aa2e3da9ec90c93b70a3964e03074611395407b6ab6bfed3d
- Filesize: 323KB
  MD5: 67f36f3c0ac40b3318b0241f929fe06b
  SHA1: 7b9aee92f248b674b974a8469fd0b0ddddf6243d
  SHA256: 59f39c79c6f4ce39372c39f194fea499d0bf1eef2ecb2f2b7a941898fd7200f2
  SHA512: d58458e054b4c202a887c57b234cdce0913ed83481237700d70ac51412273289d49dcf79c29f06a1b87749020a66a4b7b3a280886ff8ae0c60e5cbc9debef279
- Filesize: 333KB
  MD5: e7f663ce715a2b74c17a013567b05926
  SHA1: 2b281c8ca9e1832394d0561a7cd6217393141545
  SHA256: 26776f52e21b7864c6a8aff3d8dbd1d73618214a9de454e922852c320465730b
  SHA512: 5600cc8c25a390b6a0b71108641d8974662b28464be8e5185dfe4313f37e5cd07d32c572219d6079efdf1081b455e1eb5315084fe5a0f1b8dc40cbe4cb1eb7a2
- Filesize: 10KB
  MD5: 01820ff52f9ff682a6a92e3b709f0b47
  SHA1: beed169d60fd9706b138830d71112844c2073b6d
  SHA256: b0cda4f8182364a1a4a296235aaa39283f4d8c7cdf4687a70ac743af37e373b4
  SHA512: 615ec1faa48c8e1d0026fc91d14b9dd3b69a33208d720303bcb1a18771eec75042dfbcff894c7919715521d241345a2a513d5ffedca698fb42d8aadebc7c3fa3
- Filesize: 24KB
  MD5: 085ebd119f5fc6b8f63720fac1166ff5
  SHA1: af066018aadec31b8e70a124a158736aca897306
  SHA256: b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687
  SHA512: adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875
- Filesize: 24KB
  MD5: 33eea2792b9fa42f418d9d609f692007
  SHA1: 48c3916a14ef2d9609ec4d2887a337b973cf8753
  SHA256: 8f7807c324626abc2d3504638958c148e2e3f3e212261f078940cf4c5f0c4fbb
  SHA512: b2dbfcdf2599c38c966c5ebce714a5cd50e2f8b411555acf9f02b31b9c29b8ab53a9afa9d32bab87a06e08f8b2c7818d600773f659a058c8af81c50be7f09b95
- Filesize: 8KB
  MD5: 4cdf46aafd05efde11ddbd5c364886f7
  SHA1: cc0fdb5ef31a5dbaa1aa83c5a8606cbd712d900c
  SHA256: 6ba675582cbb35e705c8b1a9e3fcca4c91aa5767b5e973f3b2ea203b4273c791
  SHA512: 11f00a0e883c13991508e9f93fd61d1684164cb0a2447e2e04b31514224b7f500dbdd38c0392a045cd57e4747b8df2641a699fa02406a0e0beb9f3ea55e4e91d
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
  Filesize: 2KB
  MD5: b2dc21270de71e4e86fa6d5bcfb14b9d
  SHA1: 1055788d259d2b7f5320daa0bd1e264143a1419f
  SHA256: f3cdc080eefe793c20a33164fb3afe6e70b023af14ba32c264cc58640d6f45b6
  SHA512: c1e9c05a3e5e8365702a52e7a58664d1fd5319b639a9c20a3448e79259a22722a72350a3407fbdccc669f5a43d632958dd903130f17c4a49e3f4b11cf140d4e1
- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
  Filesize: 2KB
  MD5: 0ebf77521e0bdb8c28b2d704214dec59
  SHA1: 44f7ae69aeba1d87a47e4f55a34d29c2e66b8e66
  SHA256: cae991e429fdbae63827958efedec2e5b5ec6caf20732dc57f527f4f1c1e1715
  SHA512: 62b3ebe3c9ec462be380d202d576b0ba82935e0f2420c90d609ee299d30d2eff0d34b6ef86356c0aeda314377b10344a0ede402d287ef49c6534068d1e02e331
- Filesize: 245KB
  MD5: f883b260a8d67082ea895c14bf56dd56
  SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
  SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
  SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
- Filesize: 148KB
  MD5: 3a13f5a6790d934300e7c86dc1ac9d0c
  SHA1: c7c8b574d08d612b514bae55d86d89ab6b39e89b
  SHA256: 1c4403d83fa81af3e40a14b5ce89297135be7e89eb4b5b016ca8f37d0a2fb7ee
  SHA512: c41a02720799810457753d108821370920ef3500d8e06b5d500ed72d770d9c50f9bb3deff41af26410d3692dfde97860033a62e954b08a97353ba104d1a0772c
- Filesize: 16B
  MD5: d29962abc88624befc0135579ae485ec
  SHA1: e40a6458296ec6a2427bcb280572d023a9862b31
  SHA256: a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
  SHA512: 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f
- Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84